How to secure WFS services?
WFS doesn't have security as part of the standard, but you can use HTTPS without problem. The OpenGIS Web Feature Service (WFS) Implementation Specification (04-094) [s. 6.3.4] says:
The use of HTTPS does not affect the description of the requests and responses described in this specification but may require additional actions to be taken on both the client and the service in order to initiate the secure communication.
So essentially it's entirely up to you to implement any HTTPS functionality. Mapserver can cope with HTTPS as far as I can tell, but I've never tried it. In fact I'd be very interested in seeing what you come up with.
If you would like to manage access to this service unobtrusively, via a single sign on solution you can implement the following. Currently there are no open source services that implement this type of security solution.
The first part, is a web service that acts as a mediator between the WFS and the user. This web service will manage the user access to WFS layers and perform the necessary cross checks with an Active Domain or Kerberos Authentication access control. This service will pass through to the WFS server those requests that are authenticated and permitted. This is a Marshaling web service.
The second part is to enforce the WFS server to only trust requests from the Marshaling Service. This is a web server feature that limits the IP's from which it will accept connections/requests.
There are Marshaling services out there for sale. I personally wrote my own to secure a GeoServer instance so it could integrate into a very large Microsoft shop. It allowed be to assign users to groups and manage access to datasets through the Marshaling service.
Guaranteed to be secure and not affect the performance of communication.
If you want diagrams of this infrastructure for clearer understanding or the names of some vendors let me know (email). I'm not affiliated in any way with vendors, I just know their names. I prefer to write my own ;)
This may be a good Open source project :) :)